SRX

Expand all | Collapse all

Problem Dynamic VPN. Correctly connected, Correctly policy and NAT but, NO able to reach private net.

Jump to Best Answer
  • 1.  Problem Dynamic VPN. Correctly connected, Correctly policy and NAT but, NO able to reach private net.

    Posted 04-27-2018 02:14

    Hi,

    last week I configured one dynamic VPN profile for VPN client access.

    It was working perfectly, Smiley Happy  but after one weekend of changes, I came back to re-connect in VPN from remote location and I found that VPN clients are not any longer able to connect on internal resources.

    In the specific:

    1) Pulse is connected correctly

    2) Connecting on internal resources are not working.

     

    Extract of the configuration:

    set security dynamic-vpn access-profile remote_access_profile
    set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 10.0.0.0/8
    set security dynamic-vpn clients wizard-dyn-group ipsec-vpn wizard_dyn_vpn
    set security dynamic-vpn clients wizard-dyn-group user vpn123
    
    set access profile remote_access_profile client test123 firewall-user password "$9$Lyoxdb4aUji.hSlvW8dV/9A0IcLX-w2aFnRSeWN-4oJGjq/9pOBE"
    set access profile remote_access_profile address-assignment pool dyn-vpn-address-pool
    set access address-assignment pool dyn-vpn-address-pool family inet network 172.16.0.0/24
    set access address-assignment pool dyn-vpn-address-pool family inet range d-range low 172.16.0.150
    set access address-assignment pool dyn-vpn-address-pool family inet range d-range high 172.16.0.200
    set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 10.20.20.100/32
    set access firewall-authentication pass-through default-profile remote_access_profile
    set access firewall-authentication web-authentication default-profile remote_access_profile
    
    set security nat source rule-set Zone_CONTACT-INSIDE-Zone_I-1 from zone CONTACT-INSIDE
    set security nat source rule-set Zone_CONTACT-INSIDE-Zone_I-1 to zone INTERNET
    set security nat source rule-set Zone_CONTACT-INSIDE-Zone_I-1 rule NO_NAT-VPN_Client match source-address-name vpn-clinet_net
    set security nat source rule-set Zone_CONTACT-INSIDE-Zone_I-1 rule NO_NAT-VPN_Client match destination-address-name HQ_net
    set security nat source rule-set Zone_CONTACT-INSIDE-Zone_I-1 rule NO_NAT-VPN_Client then source-nat off
    
    set security policies from-zone INTERNET to-zone CONTACT-INSIDE policy VPN_Admin match source-address any
    set security policies from-zone INTERNET to-zone CONTACT-INSIDE policy VPN_Admin match destination-address any
    set security policies from-zone INTERNET to-zone CONTACT-INSIDE policy VPN_Admin match application any
    set security policies from-zone INTERNET to-zone CONTACT-INSIDE policy VPN_Admin then permit tunnel ipsec-vpn wizard_dyn_vpn
    set security policies from-zone INTERNET to-zone CONTACT-INSIDE policy VPN_Admin then log session-close
    set security policies from-zone INTERNET to-zone CONTACT-INSIDE policy VPN_Admin then count
    

    Maybe more relvant, (but I didn't find something of specific), is the debug trace log:

    Apr 27 11:48:52 11:48:52.496206:CID-0:RT:jsf sess close notify
    
    Apr 27 11:48:52 11:48:52.496206:CID-0:RT:flow_ipv4_del_flow: sess 7775, in hash 32
    
    Apr 27 11:48:52 11:48:52.496206:CID-0:RT:flow_ipv4_del_flow: sess 7775, in hash 32
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:<172.16.0.165/33539->10.10.10.254/1;1> matched filter filter1:
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:packet [60] ipid = 17960, @0x43e77e5a
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 1, common flag 0x0, mbuf 0x43e77c00, rtbl_idx = 0
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow process pak, mbuf 0x43e77c00, ifl 0, ctxt_type 1 inq type 6
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT: in_ifp <junos-host:.local..0>
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x67099470
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:host inq check inq_type 0x6
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:tifp NULL
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:pkt out of tunnel.Proceed normally
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  pp0.0:172.16.0.165->10.10.10.254, icmp, (8/0)
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT: find flow: table 0x5db6db28, hash 39479(0xffff), sa 172.16.0.165, da 10.10.10.254, sp 33539, dp 1, proto 1, tok 16395
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  no session found, start first path. in_tunnel - 0x6027cdf8, from_cp_flag - 0
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  flow_first_create_session
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:First path alloc and instl pending session, natp=0x600ae428, id=5614
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  flow_first_in_dst_nat: in <pp0.0>, out <N/A> dst_adr 10.10.10.254, sp 33539, dp 1
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  chose interface pp0.0 as incoming nat if.
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.10.10.254(1)
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_routing: vr_id 4, call flow_route_lookup(): src_ip 172.16.0.165, x_dst_ip 10.10.10.254, in ifp pp0.0, out ifp N/A sp 33539, dp 1, ip_proto 1, tos 0
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:Doing DESTINATION addr route-lookup
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_ipv4_rt_lkup success 10.10.10.254, iifl 0x55, oifl 0x46
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  routed (x_dst_ip 10.10.10.254) from INTERNET (pp0.0 in 0) to vlan.10, Next-hop: 10.10.10.254
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_policy_search: policy search from zone INTERNET-> zone CONTACT-INSIDE (0x0,0x83030001,0x1)
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:Policy lkup: vsys 0 zone(11:INTERNET) -> zone(6:CONTACT-INSIDE) scope:0
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:             172.16.0.165/2048 -> 10.10.10.254/51799 proto 1
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  permitted by policy VPN_Admin(41)
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  packet passed, Permitted by policy.
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_src_xlate:  incoming src port is : 33539.
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_src_xlate: src nat returns status: 1, rule/pool id: 4/0, pst_nat: False.
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  dip id = 0/0, 172.16.0.165/33539->172.16.0.165/33539 protocol 0
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  choose interface vlan.10(P2P) as outgoing phy if
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:is_loop_pak: No loop: on ifp: vlan.10, addr: 10.10.10.254, rtt_idx:4
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:-jsf : Alloc sess plugin info for session 4294972910
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:[JSF]Normal interest check. regd plugins 27, enabled impl mask 0x0
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT: Allocating plugin info block for plugin(6)
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:[JSF] set ext handle 0x562a62a0 for plugin 6 on session 4294972910
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:[JSF]Plugins(0x40, count 1) enabled for session = 4294972910, impli mask(0x0), post_nat cnt 0 svc req(0x5)
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:[JSF]c2s order list:
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:               6
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:[JSF]s2c order list:
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:               6
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_service_lookup(): natp(0x600ae428): app_id, 0(0).
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  service lookup identified service 0.
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  flow_first_final_check: in <pp0.0>, out <vlan.10>
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:In flow_first_complete_session
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_first_complete_session, pak_ptr: 0x5c4f9e40, nsp: 0x600ae428, in_tunnel: 0x6027cdf8
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:construct v4 vector for nsp2
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  existing vector list 0x8284-0x5611b168.
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  Session (id:5614) created for first pak 8284
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:first pak processing successful
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  flow_first_install_session======> 0x600ae428
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT: nsp 0x600ae428, nsp2 0x600ae4b8
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  make_nsp_ready_no_resolve()
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  reverse route is optional
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:Doing jsf sess create notify
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:-jsf create notify: plugin id  6. rc 3
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:flow_do_jsf_notify_session_creation(): natp(0x600ae428): 0 SHORT_CIRCUITED: 0x00000000.
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:no need update ha
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:Installing s2c NP session wing
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:first path session installation succeeded
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  flow got session.
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT:  flow session id 5614
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT: vector bits 0x8284 vector 0x5611b168
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT: ****jsf svc chain: sess id 5614, dir 1, nat_done 0, pak pid 0, first pid 6
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT: plugin name junos-jdpi. action JSF_SESSION_ACTION_NONE, stbuf 0x0
    
    Apr 27 11:48:53 11:48:53.820725:CID-0:RT: jsf sess id ignore. sess 5614, pid 6, dir 1, st_buf 0x0.
    
    Apr 27 11:48:54 11:48:53.820725:CID-0:RT: jsf sess id ignore. sess 5614, pid 6, dir 2, st_buf 0x0.
    
    Apr 27 11:48:54 11:48:53.820725:CID-0:RT:All plugins have ignored session :5614
    
    Apr 27 11:48:54 11:48:53.820725:CID-0:RT:  existing vector list 0x8204-0x5611b1c8.
    
    Apr 27 11:48:54 11:48:53.820725:CID-0:RT:  existing vector list 0x8204-0x5611b1c8.
    
    Apr 27 11:48:54 11:48:53.820725:CID-0:RT:PKT-PROC for plugin junos-jdpi jbuf 0x608d6b50, sess jsf flags 0x0, rc 0
    
    Apr 27 11:48:54 11:48:53.820725:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
    
    Apr 27 11:48:54 11:48:53.820725:CID-0:RT:  encap vector
    
    Apr 27 11:48:54 11:48:53.820725:CID-0:RT:  no more encapping needed
    
    Apr 27 11:48:54 11:48:53.820725:CID-0:RT:mbuf 0x43e77c00, exit nh 0x110010
    
    Apr 27 11:48:54 11:48:53.820725:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x5c4f9e40 associated with mbuf 0x43e77c00
    
    Apr 27 11:48:54 11:48:53.820725:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
    
    
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:<10.10.10.254/1->172.16.0.165/33539;1> matched filter filter2:
    
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:packet [60] ipid = 40725, @0x43e8a79a
    
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43e8a580, rtbl_idx = 4
    
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT: flow process pak fast ifl 70 in_ifp vlan.10
    
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:  vlan.10:10.10.10.254->172.16.0.165, icmp, (0/0)
    
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT: find flow: table 0x5db6db28, hash 11247(0xffff), sa 10.10.10.254, da 172.16.0.165, sp 1, dp 33539, proto 1, tok 16390
    
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:Found: session id 0x15ee. sess tok 16390
    
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:  flow got session.
    
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:  flow session id 5614
    
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:no fto but skip rerouting since route is optional
    
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT: vector bits 0x8204 vector 0x5611b1c8
    
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:ttl vector, out_tunnel = 0x6027cdf8
    
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:pre-frag not needed: ipsize: 60, mtu: 1422, nsp2->pmtu: 1422
    
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:  encap vector
    
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:  going into tunnel 67108881 (nsp_tunnel=0x6027cdf8).
    
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:  flow_encrypt: tun 0x6027cdf8, type 1
    
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT:lpak_init: lpak 0x5c775d18, paksize 60, machdr 0x0, iphdr 0x43e8a79a
    
    Apr 27 11:48:54 11:48:53.825226:CID-0:RT: ----- flow_process_pkt rc 0x11 (fp rc 0)

    Any suggestion for solve this problem?

     

    Many regards


    #dynamicVPN
    #vpnclient
    #SRX110


  • 2.  RE: Problem Dynamic VPN. Correctly connected, Correctly policy and NAT but, NO able to reach private net.
    Best Answer

    Posted 04-27-2018 02:41

    UPDATE:

    Unbelivable, but something was wrong on my windows machine or pulse secure vpn client!

    I used one other PC with same Pulse Secure version and it's working correctly!! (obliviusly same configuration on the SRX)

    Uninstal and re-install software on my client and the VPN started once again!!!

     

    Then, in case it's appenning also to you... Troubleshoot first client pulse 😉

     

    Bye